Kibana Logstash ElasticSearch | Unindexed fields cannot be searched

Asked 27/5, 2015 at 1:52 Answered 7/7, 2023 at 14:10

I am exploring ELK stack and coming across an issue.

I have generated logs, forwarded the logs to logstash, logs are in JSON format so they are pushed directly into ES with only JSON filter in Logstash config, connected and started Kibana pointing to the ES.

Logstash Config:

 filter {
  json {
    source => "message"
  }

Now I have indexes created for each day's log and Kibana happily shows all of the logs from all indexes.

My issue is: there are many fields in logs which are not enabled/indexed for filtering in Kibana. When I try to add them to the filer in Kibana, it says "unindexed fields cannot be searched".

Note: these are not sys/apache log. There are custom logs in JSON format.

Log format:

{"message":"ResponseDetails","@version":"1","@timestamp":"2015-05-23T03:18:51.782Z","type":"myGateway","file":"/tmp/myGatewayy.logstash","host":"localhost","offset":"1072","data":"text/javascript","statusCode":200,"correlationId":"a017db4ebf411edd3a79c6f86a3c0c2f","docType":"myGateway","level":"info","timestamp":"2015-05-23T03:15:58.796Z"}

fields like 'statusCode', 'correlationId' are not getting indexed. Any reason why?

Do I need to give a Mapping file to ES to ask it to index either all or given fields?

Dynamic answered 27/5, 2015 at 1:52 Comment(2)

You should try adding an index template with custom fields definitions. – Myranda 27/5, 2015 at 3:4

I tried it. I still see my fields unindexed. When I go to Visualize and try to choose Term Filter for X/Y axis, not all fields are showing up in there. This is getting bit frustrating for me to get it working now, as I don't see much documentation/reference about it. – Dynamic 2/6, 2015 at 16:55

You've updated the Kibana field list?

Kibana.
Settings.
Reload field list.

Newer version:

Kibana.
Management.
Refresh icon on the top right.

Hydroxyl answered 2/7, 2015 at 7:47 Comment(4)

Worked for me too. Thanks! – Osyth 12/11, 2018 at 13:25

Should be a new step inserted before 3 under Newer Version: "Index Patterns" – Mason 9/3, 2020 at 16:8

Still doesn't work for me.... – Bereft 7/7, 2022 at 7:21

If you are using Opensearch (currently 2.7): Navigation > Stack Management > Index Patterns > click the index pattern > click the Refresh Field List icon - the count of number of fields should increase. – Assessment 2/8, 2023 at 12:38

As of 6.4.0:

The warning description puts it very simply:

Management > Index Patterns > Select your Index > Press the refresh button in the top right corner.

Fusible answered 18/9, 2018 at 9:13 Comment(0)

On the newer version (2023), you need to update the Kibana field list from here:

Management
Stack Management
Index Patterns
Choose the pattern
Hit the button "Refresh field list"

Adieu answered 7/7, 2023 at 14:10 Comment(0)

If you try to refresh and you can't solve it try to change index.blocks.write: "false"

enter image description here

Anachronistic answered 30/10, 2020 at 8:35 Comment(0)

Recommended topics

Hot tags